Abstract

We present a method for the automated verification of temporal properties of infinite state systems. Our verification method is based on the specialization of constraint logic programs (CLP) and works in two phases: (1) in the first phase, a CLP specification of an infinite state system is specialized with respect to the initial state of the system and the temporal property to be verified, and (2) in the second phase, the specialized program is evaluated by using a bottom-up strategy. The effectiveness of the method strongly depends on the generalization strategy which is applied during the program specialization phase. We consider several generalization strategies obtained by combining techniques already known in the field of program analysis and program transformation, and we also introduce some new strategies. Then, through many verification experiments, we evaluate the effectiveness of the generalization strategies we have considered. Finally, we compare the implementation of our specialization-based verification method to other constraint-based model checking tools. The experimental results show that our method is competitive with the methods used by those other tools. To appear in Theory and Practice of Logic Programming (TPLP).

KEYWORDS: Computational tree logic, constraint logic programs, generalization strategies, infinite state systems, program specialization, program verification



1 Introduction 

We consider the problem of verifying properties of reactive systems, that is, systems which continuously react to inputs by changing their internal state and producing outputs. One of the most challenging problems in this area is the extension of the model checking technique (Clarke et al. 1999) from finite state systems to infinite state systems. In infinite state model checking the evolution over time of a system is modelled as a binary transition relation on an infinite set of states and the properties of that evolution are specified by means of propositional temporal formulas. In particular, in this paper we consider the Computation Tree Logic (CTL), which is a branching time propositional temporal logic by which one can specify, among others, the so-called safety and liveness properties (Clarke et al. 1999).

Unfortunately, the verification of CTL formulas for infinite state systems is, in general, an undecidable problem. Thus, in order to cope with this limitation, various decidable subclasses of systems and formulas have been identified (see, for instance, (Esparza 1997)). Other approaches to overcome the undecidability limitation are based on the enhancement of finite state model checking by using either deductive techniques (Pnueli and Shahar 1996; Sipma et al. 1999) or abstractions, by which one can compute conservative approximations of sets of states (Abdulla et al. 2009; Bultan et al. 1999; Clarke et al. 1994; Dams et al. 1997; Geeraerts et al. 2006; Godefroid et al. 2001).

Constraint logic programming (CLP) provides an excellent framework for specifying and verifying properties of reactive systems (Fribourg 2000). Indeed, the fixpoint semantics of logic programming languages allows us to easily represent the fixpoint semantics of various temporal logics (Delzanno and Podelski 2001; Nilsson and Lübcke 2000; Ramakrishna et al. 1997) and constraints over the integers or the reals can be used to provide finite representations of infinite sets of states (Delzanno and Podelski 2001; Fribourg and Olsen 1997).

However, for programs that specify infinite state systems, the proof procedures normally used in CLP, such as the extensions of SLDNF resolution and tabled resolution (Cui and Warren 2000), very often diverge when trying to check some given temporal properties. This is due to the limited ability of these proof procedures to cope with infinitely failed derivations. For this reason, instead of using direct program evaluation, many logic programming-based verification systems make use of reasoning techniques such as: (i) abstract interpretation (Banda and Gallagher 2010; Delzanno and Podelski 2001), and (ii) program transformation (Fioravanti et al. 2001; Leuschel and Lehmann 2000; Leuschel and Massart 2000; Peralta and Gallagher 2003; Roychoudhury et al. 2000). In the techniques based on abstract interpretation one can construct approximations of the least and greatest fixpoints of (the immediate consequence operator associated with) a CLP program and then check the properties of interest on these approximations, while in the techniques based on program transformation one can pre-process the specification of a given system and a given property so that the verification itself becomes easier to perform.

This paper presents a verification method based on program specialization, a transformation technique that improves a program by exploiting the knowledge about the specific context where the program is used (Jones et al. 1993; Leuschel and Bruynooghe 2002). Our verification method is an extension of the one first proposed in (Fioravanti et al. 2001) and is applicable to the specification of a CTL property of an infinite state system encoded as a CLP program with locally stratified negation, where the constraints are linear inequations over the rationals. Our verification method works in two phases. In Phase (1) we specialize the CLP program with respect to the initial state of the system and the temporal property to be verified, and in Phase (2) we construct the perfect model of the specialized program derived at the end of Phase (1), by applying a bottom-up evaluation procedure. As we will demonstrate through many examples below, this bottom-up procedure terminates in most cases without the need for abstractions.

The effectiveness of the verification method we propose strongly depends on the design of the generalization strategy which has to be applied during the program specialization phase. Designing a good generalization strategy is not a trivial task: it must guarantee the termination of the specialization phase, and it should also provide high precision and good performance. These requirements are often conflicting because, on the one hand, the use of a too coarse generalization strategy may cause the non-termination of Phase (2) and, thus, prevent the verification of many interesting properties and, on the other hand, a too specific generalization strategy may lead to verification times which are too long.

In this paper we introduce some new generalization strategies and we also propose various generalization strategies which are obtained by combining old techniques, already considered in the field of program analysis and program transformation (such as the well-quasi orders (Leuschel 2002; Leuschel et al. 1998; Sørensen and Glück 1995) and the convex hull and widening operators (Cousot and Halbwachs 1978; Peralta and Gallagher 2003)).

Our verification method has been implemented on the MAP transformation system (MAP 2011). We have evaluated the effectiveness of this method by presenting the results of the experiments we have performed on several infinite state systems and temporal properties. We have also compared the implementation of our verification method with the following constraint-based model checking tools: (i) ALV (Yavuz-Kahveci and Bultan 2009), (ii) DMC (Delzanno and Podelski 2001), and (iii) HyTech (Henzinger et al. 1997). The experiments we have performed show that our method is effective and competitive with respect to the methods implemented in those verification tools.

The paper is structured as follows. In Section 2 we recall how CTL properties of infinite state systems can be encoded by using locally stratified CLP programs. In Section 3 we present our two-phase verification method. In Section 4 we describe various strategies that can be applied during Phase (1), that is, the specialization phase, and in particular, the generalization strategies used for ensuring termination of that phase. In Section 5 we report on some experiments we have performed by using a prototype implemented on the MAP transformation system.



2 Specifying Reactive Systems and CTL Properties by CLP Programs 

A reactive system is modelled as a Kripke structure K, denoted by a 4-tuple (S, I, R, L), where S is a (possibly infinite) set of states, I ⊆ S is the set of initial states, R is a total binary transition relation, and L is a labeling function that associates with each state the set of elementary properties that hold in that state. A computation path in K is an infinite sequence of states s0 s1 ... such that, for every i ≥ 0, s_i R s_{i+1} holds. The state s_{i+1} is called a successor of s_i. The properties to be verified will be specified as formulas of the Computation Tree Logic (CTL), whose syntax is:

$\varphi ::= e \mid not(\varphi) \mid and(\varphi_1, \varphi_2) \mid ex(\varphi) \mid eu(\varphi_1, \varphi_2) \mid af(\varphi)$

where e belongs to the set Elem of the elementary properties. Note that, in order to be consistent with the syntax of constraint logic programs, we slightly depart from the syntax of CTL given in (Clarke et al. 1999).

The operators ex, eu, and af have the following semantics. The formula ex(φ) holds in a state s if there exists a successor s' of s such that φ holds in s'. The formula eu(φ1, φ2) holds in a state s if there exists a computation path π starting from s such that φ1 holds in all states of a finite prefix of π and φ2 holds in the first state of the rest of the path. The formula af(φ) holds in a state s if on every computation path π starting from s there exists a state s' where φ holds. Formally, the semantics of CTL is given by the satisfaction relation K, s ⊨ φ, which tells us when a formula φ holds in a state s of the Kripke structure K.

All CTL operators can be defined in terms of ex, eu, and af. For instance: (i) the formula ef(φ) (which holds in a state s if there exists a computation path π starting from s and a state on π where φ holds) is defined as eu(true, φ), and (ii) the formula eg(φ) (which holds in a state s if there exists a computation path π starting from s such that, for every state on π, φ holds) is defined as not(af(not(φ))).

In order to encode a Kripke structure and the satisfaction relation as a CLP program we will consider a set C of constraints and an interpretation D for the constraints in C. We assume that: (i) C contains a set of atomic constraints, among which are true, false, and the equalities between terms, denoted by t1 = t2, (ii) C is closed under conjunction (denoted by comma), and (iii) C is closed under projection. The projection of a constraint c onto a tuple X of variables, denoted project(c, X), is a constraint such that $\mathcal{D} \models \forall X\,(project(c, X) \leftrightarrow \exists Y\, c)$, where Y is the tuple of variables occurring in c and not in X. We define a partial order ⊑ on C as follows: for any two constraints c1 and c2 in C, $c_1 \sqsubseteq c_2$ iff $\mathcal{D} \models \forall (c_1 \rightarrow c_2)$.

The semantics of a CLP program is defined as a D-model (Jaffar and Maher 1994), that is, a (possibly infinite) set of ground atoms whose truth implies the truth of all clauses of the program. Similarly to the case of logic programs, every locally stratified CLP program P has a unique perfect D-model (also called perfect model, for short) which is denoted by M(P) (see, for instance, (Apt and Bol 1994)).

Now, a Kripke structure (S, I, R, L) can be encoded by a CLP program as follows.

(1) A state in S is encoded by an n-tuple (t1, ..., tn) of terms representing the values of the variables of the reactive system. In what follows the variables X and Y are assumed to range over S.

(2) An initial state X in I is encoded by a clause of the form initial(X) ← c(X), where c(X) is a constraint.

(3) The transition relation R is encoded by a set of clauses of the form t(X, Y) ← c(X, Y), where c(X, Y) is a constraint. We also introduce a predicate ts such that, for every state X, Ys is a list of all the successor states of X iff ts(X, Ys) holds, that is, for every state X, the state Y belongs to the list Ys iff t(X, Y) holds. In (Fioravanti et al. 2007) the reader will find: (i) an algorithm for deriving the clauses defining ts from the clauses defining t, and (ii) some conditions that guarantee that Ys is a finite list.

[Figure 1 (diagram not reproduced): two transitions, guarded by X1 ≥ 1 and X1 ≤ 2.]
Figure 1. A reactive system. In any initial state we have that X1 < 0 and X2 = 0. The transitions do not change the value of X1.

(4) Each elementary property e associated with a state X is encoded by a clause of the form elem(X, e) ← c(X), where c(X) is a constraint.

The satisfaction relation ⊨ can be encoded by a predicate sat defined by the following clauses (Fioravanti et al. 2001) (see also (Leuschel and Massart 2000; Nilsson and Lübcke 2000) for similar encodings):

1. sat(X, F) ← elem(X, F)
2. sat(X, not(F)) ← ¬sat(X, F)
3. sat(X, and(F1, F2)) ← sat(X, F1), sat(X, F2)
4. sat(X, ex(F)) ← t(X, Y), sat(Y, F)
5. sat(X, eu(F1, F2)) ← sat(X, F2)
6. sat(X, eu(F1, F2)) ← sat(X, F1), t(X, Y), sat(Y, eu(F1, F2))
7. sat(X, af(F)) ← sat(X, F)
8. sat(X, af(F)) ← ts(X, Ys), sat_all(Ys, af(F))
9. sat_all([], F) ←
10. sat_all([X|Xs], F) ← sat(X, F), sat_all(Xs, F)

Suppose that we want to verify that a CTL formula φ holds for all initial states. In order to do so we define a new predicate prop as follows:

$prop =_{\mathit{def}} \forall X\,(initial(X) \rightarrow sat(X, \varphi))$

This definition can be encoded by the following two clauses:

γ1: prop ← ¬negprop
γ2: negprop ← initial(X), sat(X, not(φ))

Let P_K denote the constraint logic program consisting of clauses 1-10 together with the clauses defining the predicates initial, t, ts, and elem. The program P_K ∪ {γ1, γ2} is locally stratified and, hence, it has a unique perfect model denoted M(P_K ∪ {γ1, γ2}). The correctness of the encoding program P_K ∪ {γ1, γ2} is stated by the following Theorem 1 (its proof can be found in (Fioravanti et al. 2007)).

Theorem 1 (Correctness of Encoding)

Let K be a Kripke structure, let I be the set of initial states of K, and let φ be a CTL formula. Then, for all states s ∈ I, K, s ⊨ φ iff prop ∈ M(P_K ∪ {γ1, γ2}).

Example 1

Let us consider the reactive system depicted in Figure 1, where a state (X1, X2), which is a pair of rationals, is denoted by the term s(X1, X2).

The Kripke structure K which models that system is defined as follows. The initial states are given by the clause:

11. initial(s(X1, X2)) ← X1 < 0, X2 = 0

The transition relation R is given by the clauses:

12. t(s(X1, X2), s(Y1, Y2)) ← X1 ≥ 1, Y1 = X1, Y2 = X2 - 1
13. t(s(X1, X2), s(Y1, Y2)) ← X1 ≤ 2, Y1 = X1, Y2 = X2 + 1

The predicate ts is given by the clauses:

14. ts(s(X1, X2), [s(Y1, Y2)]) ← X1 < 1, Y1 = X1, Y2 = X2 + 1
15. ts(s(X1, X2), [s(Y11, Y21), s(Y12, Y22)]) ← X1 ≥ 1, X1 ≤ 2, Y11 = X1, Y21 = X2 - 1, Y12 = X1, Y22 = X2 + 1
16. ts(s(X1, X2), [s(Y1, Y2)]) ← X1 > 2, Y1 = X1, Y2 = X2 - 1

The elementary property negative is given by the clause:

17. elem(s(X1, X2), negative) ← X2 < 0

Suppose that we want to verify the property that in every initial state s(X1, X2), where X1 < 0 and X2 = 0, the CTL formula not(eu(true, negative)) holds, that is, from any initial state it is impossible to reach a state s(X1, X2) where X2 < 0. By using the fact that every CTL formula of the form not(not(φ)) is equivalent to φ, this property is encoded by the following two clauses:

γ1: prop ← ¬negprop
γ2: negprop ← initial(X), sat(X, eu(true, negative))

Note that, in this example, for the verification of prop the clauses defining the predicate sat(X, af(F)) (that is, clauses 7 and 8 of program P_K) are not needed. Thus, clauses 14, 15, and 16, which define the predicate ts, are not needed either. □

Our encoding of the Kripke structure can easily be extended to provide witnesses of formulas of the form eu(φ1, φ2) and counterexamples of formulas of the form af(φ), as usual for model checkers of finite state systems (Clarke et al. 1999). Indeed, in order to do so, it is sufficient to add to the predicate sat an extra argument that recalls the sequence of states (or transitions) constructed during the verification of a given formula. For details, the reader may refer to (Fioravanti et al. 2007).

3 Verifying Infinite State Systems by Specializing CLP Programs 

In this section we present a method for checking whether or not prop ∈ M(P_K ∪ {γ1, γ2}), where P_K ∪ {γ1, γ2} is a CLP encoding of an infinite state system and prop is a predicate encoding the satisfiability of a given CTL formula.

As already mentioned, the proof procedures normally used in constraint logic programming, such as the extensions to CLP of SLDNF resolution and tabled resolution, very often diverge when trying to check whether or not prop ∈ M(P_K ∪ {γ1, γ2}) by evaluating the query prop. This is due to the limited ability of these proof procedures to cope with infinite failure.

Also the bottom-up construction of the perfect model M(P_K ∪ {γ1, γ2}) often diverges, because it does not take into account the information about the query prop to be evaluated, the initial states of the system, and the formula to be verified. Indeed, by a naive bottom-up evaluation, the clauses of P_K may generate infinitely many atoms of the form sat(s, ψ). For instance, given a state s0, an elementary property f that holds in s0, and an infinite sequence {s_i | i ∈ N} of distinct states such that, for every i ∈ N, t(s_{i+1}, s_i) holds, clauses 5 and 6 generate by bottom-up evaluation the infinitely many atoms sat(s_i, eu(true, f)), for every i ∈ N, and the infinitely many atoms: (i) sat(s0, f), (ii) sat(s0, eu(true, f)), (iii) sat(s0, eu(true, eu(true, f))), ...

We will show that the termination of the bottom-up construction of the perfect model can be improved by a prior application of program specialization. In particular, we will present our verification algorithm which consists of two phases: Phase (1), in which we specialize the program P_K ∪ {γ1, γ2} with respect to the query prop, thereby deriving a new program P_S whose perfect model M(P_S), also denoted M_S, satisfies the following equivalence: prop ∈ M(P_K ∪ {γ1, γ2}) iff prop ∈ M_S, and Phase (2), in which we construct M_S by a bottom-up evaluation. The specialization phase modifies the program P_K ∪ {γ1, γ2} by incorporating into the specialized program P_S the information about the initial states and the formula to be verified. The bottom-up evaluation of P_S may terminate more often than the bottom-up evaluation of P_K ∪ {γ1, γ2} because: (i) it avoids the generation of an infinite set of states that are unreachable from the initial states, and (ii) it generates only specialized atoms corresponding to subformulas of the formula to be verified.

The Verification Algorithm

Input: The program P_K ∪ {γ1, γ2}. Output: The perfect model M_S of a CLP program P_S such that prop ∈ M(P_K ∪ {γ1, γ2}) iff prop ∈ M_S.
(Phase 1) Specialize(P_K ∪ {γ1, γ2}, P_S);
(Phase 2) BottomUp(P_S, M_S)

The Specialize procedure of Phase (1) consists in the iterated application of two subsidiary procedures: (i) the Unfold procedure, which applies the unfolding rule and the clause removal rule, and (ii) the Generalize&Fold procedure, which applies the definition introduction rule and the folding rule. These program transformation rules are variants, tailored to program specialization, of the usual rules for logic programs and constraint logic programs (see, for instance, (Etalle and Gabbrielli 1996; Seki 1991)).



Procedure Specialize

Input: The program P_K ∪ {γ1, γ2}. Output: A stratified program P_S such that prop ∈ M(P_K ∪ {γ1, γ2}) iff prop ∈ M(P_S).

P_S := {γ1}; InDefs := {γ2}; Defs := ∅;
while there exists a clause γ in InDefs do
  Unfold(γ, Γ);
  Generalize&Fold(Defs, Γ, NewDefs, Φ);
  P_S := P_S ∪ Φ; InDefs := (InDefs − {γ}) ∪ NewDefs; Defs := Defs ∪ NewDefs;
end-while



The Unfold procedure takes as input a clause γ ∈ InDefs and returns as output a set Γ of clauses derived from γ by one or more applications of the unfolding rule. A single application of this rule is encoded by the UnfoldOnce function defined below. We use the following notation. Given two atoms A and B, we denote by A = B the constraint: (i) t1 = u1, ..., tn = un, if A is of the form p(t1, ..., tn) and B is of the form p(u1, ..., un), for some n-ary predicate symbol p, and (ii) false, otherwise.



Function UnfoldOnce(γ, A)

Let γ be a clause of the form H ← c, Q, A, R, where A is an atom whose predicate is defined in P_K. Let {(K_i ← c_i, B_i) | i = 1, ..., m}, with m ≥ 0, be the set of (renamed apart) clauses in program P_K such that, for i = 1, ..., m, the constraint (c, A = K_i, c_i) is satisfiable.

UnfoldOnce(γ, A) = {(H ← c, A = K_i, c_i, Q, B_i, R) | i = 1, ..., m}



At the first application of the Unfold procedure, the input clause γ is the clause γ2: negprop ← initial(X), sat(X, not(φ)), where initial(X) and φ encode the initial states and the formula to be verified, respectively. The Unfold procedure propagates the information about the initial states and the property to be verified through the Kripke structure encoded by P_K.



Procedure Unfold(γ, Γ)

Input: A clause γ in InDefs. Output: A set Γ of clauses.

Unfold:
  Γ := UnfoldOnce(γ, A), where A is any atom in the body of γ;
  while there exist a clause δ in Γ and an atom A in the body of δ such that A is of one of the following forms: (i) initial(s), (ii) t(s1, s2), (iii) ts(s, ss), (iv) elem(s, e), (v) sat(s, e), where e is an elementary property, (vi) sat(s, not(ψ1)), (vii) sat(s, and(ψ1, ψ2)), (viii) sat(s, ex(ψ1)), (ix) sat_all(ss, ψ1), where ss is a non-variable list
  do Γ := (Γ − {δ}) ∪ UnfoldOnce(δ, A)
  end-while;

Remove Subsumed Clauses:
  while in Γ there exist two distinct clauses δ: H ← c and η: H ← d, G such that d ⊑ c (that is, η is subsumed by δ) do Γ := Γ − {η}
  end-while



Due to the structure of the clauses in P_K, the Unfold procedure terminates for every γ ∈ InDefs. In particular, in order to enforce termination, every atom of the form sat(s, eu(ψ1, ψ2)) or sat(s, af(ψ1)) is selected at most once during each application of the procedure.

The Generalize&Fold procedure takes as input the set Γ of clauses produced by the Unfold procedure and introduces a set NewDefs of definitions, that is, clauses of the form δ: newp(X) ← d(X), sat(X, ψ), where newp is a new predicate. Any such clause δ represents a set of states X satisfying the constraint d(X) and the CTL property ψ, and incorporates the information which has been propagated by the Unfold procedure, concerning the initial state and the property to be verified. All definitions introduced by the Generalize&Fold procedure are stored in a set Defs and can be used for folding during the current or the future applications of the procedure itself. By folding the clauses in Γ using the definitions in Defs ∪ NewDefs, the procedure derives a new set Φ of clauses which are added to the specialized program P_S. In the clauses of P_S, there is no reference to the predicates used in P_K ∪ {γ1, γ2}, except for prop and negprop, that is, P_S provides a definition of prop and negprop in terms of the new predicates introduced by the applications of the Generalize&Fold procedure.

Unfortunately, an uncontrolled application of the Generalize&Fold procedure may lead to the introduction of infinitely many new definitions, thereby causing the nontermination of the Specialize procedure. In order to guarantee termination, the Generalize&Fold procedure may introduce new definitions which are more general than definitions introduced by previous applications of the procedure, where the more general than relation between definitions is as follows: a definition newq(X) ← g(X), sat(X, ψ) is more general than the definition newp(X) ← b(X), sat(X, ψ) if b(X) ⊑ g(X). Thus, more general definitions correspond to larger sets of states.

In order to introduce generalized definitions in a suitable way, we will extend to constraint logic programs some techniques which have been proposed for controlling generalization in positive supercompilation (Sørensen and Glück 1995) and partial deduction (Leuschel et al. 1998). The details of the Generalize&Fold procedure and the results stating the correctness and the termination of the Specialize procedure will be given in the next section.

In order to compute the perfect model M_S of P_S it is convenient to represent sets of ground atoms by sets of facts, that is, sets of (possibly non-ground) clauses of the form H ← c, where H is an atom and c is a constraint. A fact H ← c represents the set of all the ground instances of H that satisfy c. The BottomUp procedure constructs M_S by using the non-ground immediate consequence operator S_{P_S}, instead of the usual immediate consequence operator T_{P_S} (Jaffar and Maher 1994). Since program P_S is stratified (see Theorem 2 below), the BottomUp procedure processes the strata of P_S from the lowest one to the highest one (that is, the stratum where the predicate prop occurs). For each stratum the BottomUp procedure computes the least fixpoint of the restriction of S_{P_S} to that stratum. Since this fixpoint may be represented by an infinite set of facts, the BottomUp procedure may not terminate, although there is only a finite number of strata in P_S. In Section 5 we will see that the BottomUp procedure, applied after the Specialize procedure, terminates in many significant cases.

Example 2

Let us consider the program P_K ∪ {γ1, γ2} and the query prop of Example 1. We have that: (i) by using a traditional Prolog system, the evaluation of prop does not terminate in P_K ∪ {γ1, γ2} because negprop has an infinitely failed SLD tree, (ii) by using the XSB tabled logic programming system, prop does not terminate because infinitely many sat atoms are tabled, and (iii) the bottom-up construction of M(P_K ∪ {γ1, γ2}) does not terminate because of the presence of clauses 5 and 6, as we have indicated at the beginning of this section.

By applying the Specialize procedure to the program P_K ∪ {γ1, γ2} (with a suitable generalization strategy, as illustrated in the next section), we derive the following specialized program P_S:

γ1. prop ← ¬negprop
γ2. negprop ← X1 < 0, X2 = 0, new1(X1, X2)
γ3. new1(X1, X2) ← X1 < 0, X2 = 0, Y1 = X1, Y2 = 1, new2(Y1, Y2)
γ4. new2(X1, X2) ← X1 < 0, X2 > 0, Y1 = X1, Y2 = X2 + 1, new2(Y1, Y2)

The Specialize procedure has propagated through the program P_S the constraint X1 < 0, X2 = 0 characterizing the initial states (see clause 11 of Example 1). This constraint, in fact, occurs in clause γ3 and its generalization X1 < 0, X2 > 0 occurs in clause γ4. The BottomUp procedure computes the perfect model of P_S, and we get M_S = {prop} in a finite number of steps (indeed, starting from the lowest stratum, we have that, for all X1, X2, new2(X1, X2), new1(X1, X2), and negprop are all false). Thus, the property not(eu(true, negative)) holds in every initial state of K. □

4 Generalization Strategies 

The design of a powerful generalization strategy should meet two conflicting requirements. Such a strategy, in fact, should introduce new definitions which are (i) as general as possible, so as to enforce the termination of the Specialize procedure, and (ii) as specific as possible, so as to retain the maximum information about the initial state and the property to be verified, and produce a program P_S for which the BottomUp procedure terminates. In this section we present several generalization strategies for coping with those conflicting requirements. These strategies combine various techniques used in the fields of program transformation and static analysis, such as well-binary relations, well-quasi orderings, widening, and convex hull operators, and variants thereof (Cousot and Halbwachs 1978; Leuschel 2002; Leuschel et al. 1998; Peralta and Gallagher 2003; Sørensen and Glück 1995). All these strategies guarantee the termination of the Specialize procedure. However, since in general the verification problem is undecidable, the power and effectiveness of the different generalization strategies can only be assessed by performing experiments. The results of those experiments will be presented in the next section.

4.1 The Generalize&Fold Procedure

The Generalize&Fold procedure makes use of a tree of definitions, called Definition Tree, whose nodes are labelled by the clauses in Defs ∪ {γ2}. By construction there is a bijection between the set of nodes of the Definition Tree and Defs ∪ {γ2} and, thus, we will identify each node with its label. The root of the Definition Tree is labelled by clause γ2 (recall that {γ2} is the initial value of InDefs) and the children of a clause γ in Defs ∪ {γ2} are the clauses NewDefs derived after applying the procedures Unfold(γ, Γ) and Generalize&Fold(Defs, Γ, NewDefs, Φ). Our Generalize&Fold procedure is based on the combined use of a firing relation and a generalization operator. The firing relation determines when to generalize, while the generalization operator determines how to generalize.

Definition 1 (Well-Binary Relation ◁ and Well-Quasi Ordering ≼)

A well-binary relation on a set S is a binary relation ◁ such that, for every infinite sequence e0 e1 ... of elements of S, there exist i and j such that i < j and e_i ◁ e_j. A well-quasi ordering (or wqo, for short) on a set S is a reflexive, transitive, well-binary relation on S. Given e1 and e2 in S, we write e1 ≈ e2 if e1 ≼ e2 and e2 ≼ e1. A wqo ≼ is thin iff for all e ∈ S, the set {e' ∈ S | e ≈ e'} is finite.

Definition 2 (Firing Relation)

A firing relation is a well-binary relation on the set C of constraints.

The firing relation guarantees that generalization is eventually applied and, thus, its role is similar to the one of the whistle algorithm (Sørensen and Glück 1995).

Definition 3 (Generalization Operator ⊖)

Let ≼ be a thin wqo on the set C of constraints. A binary operator ⊖ on C is a generalization operator with respect to ≼ if, for all constraints c and d in C, we have: (i) d ⊑ c ⊖ d, and (ii) c ⊖ d ≼ c. (Note that, in general, ⊖ is not commutative.)

The use of a thin wqo in Definition 3 guarantees that during the Specialize procedure each definition can be generalized a finite number of times only and, thus, the termination of the procedure is guaranteed. Definition 3 generalizes several operators proposed in the literature, such as the most specific generalization operator (Leuschel et al. 1998; Sørensen and Glück 1995) and the widening operator (Cousot and Halbwachs 1978).



Procedure Generalize&Fold

Input: (i) a set Defs of definitions, (ii) a set Γ of clauses obtained from a clause γ by the Unfold procedure, (iii) a firing relation ◁, and (iv) a generalization operator ⊖.
Output: (i) a set NewDefs of new definitions, and (ii) a set Φ of folded clauses.

NewDefs := ∅; Φ := Γ;
while in Φ there exists a clause η: H ← e, G1, L, G2, where L is either sat(X, ψ) or ¬sat(X, ψ) do

Generalize:
  Let e_p(X) be project(e, X).
  1. if in Defs there exists a clause δ: newp(X) ← d(X), sat(X, ψ) such that e_p(X) ⊑ d(X) (modulo variable renaming)
     then NewDefs := NewDefs;
  2. elseif there exists a clause α in Defs such that: (i) α is of the form newq(X) ← b(X), sat(X, ψ), and (ii) α is the most recent ancestor of γ in the Definition Tree such that b(X) ◁ e_p(X)
     then NewDefs := NewDefs ∪ {newp(X) ← b(X) ⊖ e_p(X), sat(X, ψ)};
  3. else NewDefs := NewDefs ∪ {newp(X) ← e_p(X), sat(X, ψ)}

Fold:
  Φ := (Φ − {η}) ∪ {H ← e, G1, M, G2}, where M is newp(X), if L is sat(X, ψ), and M is ¬newp(X), if L is ¬sat(X, ψ)
end-while

The following theorem establishes that the Specialize procedure always termi-
nates and preserves the perfect model semantics. The proof of this theorem is a
simple variant of the proof of Theorem 3 in (Fioravanti et al. 2007).

Theorem 2 (Termination and Correctness of the Specialize Procedure)
(i) For every input program $P_K \cup \{\gamma_1, \gamma_2\}$, for every firing relation $\lhd$, and for every
generalization operator $\ominus$, the Specialize procedure terminates. (ii) Let $P_S$ be the
output program of the Specialize procedure. Then (ii.1) $P_S$ is stratified (and thus,
locally stratified), and (ii.2) $prop \in M(P_K)$ iff $prop \in M(P_S)$.

4.2 Firing Relations and Generalization Operators on Linear Constraints

In our verification experiments we will consider the set $Lin_k$ of constraints defined
as follows. Every constraint $c \in Lin_k$ is the conjunction of $m$ ($\geq 0$) distinct atomic
constraints $a_1, \ldots, a_m$ (and we will denote this fact by writing $c = a_1, \ldots, a_m$)
where, for $i = 1, \ldots, m$, (1) $a_i$ is either of the form $p_i < 0$ or of the form $p_i \leq 0$,
and (2) $p_i$ is a polynomial of the form $q_0 + q_1 X_1 + \ldots + q_k X_k$, where $X_1, \ldots, X_k$
are distinct variables and $q_0, q_1, \ldots, q_k$ are integer coefficients. An equation $r = s$
stands for the conjunction of the two inequations $r \leq s$ and $s \leq r$. The constraints
in $Lin_k$ are interpreted over the rationals in the usual way.

Now we present four firing relations on the set $Lin_k$. These firing relations are
called Always, Maxcoeff, Sumcoeff, and Homeocoeff. They are all wqo's.

(F1) The wqo Always, denoted by $\preceq_A$, is the relation $Lin_k \times Lin_k$.

(F2) The wqo Maxcoeff, denoted by $\preceq_M$, compares the maximum absolute values
of the coefficients occurring in polynomials. It is defined as follows. For any atomic
constraint $a$ of the form $p < 0$ or $p \leq 0$, where $p$ is $q_0 + q_1 X_1 + \ldots + q_k X_k$,
we define $maxcoeff(a)$ to be $\max\{|q_0|, |q_1|, \ldots, |q_k|\}$. Given two atomic constraints
$a_1$ of the form $p_1 < 0$ and $a_2$ of the form $p_2 < 0$, we have that $a_1 \preceq_M a_2$ iff
$maxcoeff(a_1) \leq maxcoeff(a_2)$. Similarly, if we are given the atomic constraints $a_1$ of
the form $p_1 \leq 0$ and $a_2$ of the form $p_2 \leq 0$. Given two constraints $c_1 = a_1, \ldots, a_m$
and $c_2 = b_1, \ldots, b_n$, we have that $c_1 \preceq_M c_2$ iff, for $i = 1, \ldots, m$, there exists
$j \in \{1, \ldots, n\}$ such that $a_i \preceq_M b_j$.

(F3) The wqo Sumcoeff, denoted by $\preceq_S$, compares the sum of the absolute values of
the coefficients occurring in the polynomials. It is defined as follows. For any atomic
constraint $a$ of the form $p < 0$ or $p \leq 0$, where $p$ is $q_0 + q_1 X_1 + \ldots + q_k X_k$, we define
$sumcoeff(a)$ to be $\sum_{i=0}^{k} |q_i|$. Given two atomic constraints $a_1$ of the form $p_1 < 0$
and $a_2$ of the form $p_2 < 0$, we have that $a_1 \preceq_S a_2$ iff $sumcoeff(a_1) \leq sumcoeff(a_2)$.
Similarly, if we are given the atomic constraints $a_1$ of the form $p_1 \leq 0$ and $a_2$ of the
form $p_2 \leq 0$. Given two constraints $c_1 = a_1, \ldots, a_m$ and $c_2 = b_1, \ldots, b_n$, we have
that $c_1 \preceq_S c_2$ iff, for $i = 1, \ldots, m$, there exists $j \in \{1, \ldots, n\}$ such that $a_i \preceq_S b_j$.

(F4) The wqo Homeocoeff, denoted by $\preceq_H$, compares sequences of absolute values of
coefficients occurring in polynomials. It is an adaptation to $Lin_k$ of the homeomor-
phic embedding operator (Leuschel 2002; Leuschel et al. 1998; Sørensen and Glück 1995).
The wqo $\preceq_H$ takes into account the commutativity and the associativity of addition
and conjunction and it is defined as follows. Given two polynomials $p_1$ of the form
$q_0 + q_1 X_1 + \ldots + q_k X_k$, and $p_2$ of the form $r_0 + r_1 X_1 + \ldots + r_k X_k$, we have that
$p_1 \preceq_H p_2$ iff there exists a permutation $(\ell_0, \ldots, \ell_k)$ of the indexes $(0, \ldots, k)$ such
that, for $i = 0, \ldots, k$, $|q_i| \leq |r_{\ell_i}|$. Given two atomic constraints $a_1$ of the form $p_1 < 0$
and $a_2$ of the form $p_2 < 0$, we have that $a_1 \preceq_H a_2$ iff $p_1 \preceq_H p_2$. Similarly, if we
are given the atomic constraints $a_1$ of the form $p_1 \leq 0$ and $a_2$ of the form $p_2 \leq 0$.
Given two constraints $c_1 = a_1, \ldots, a_m$, and $c_2 = b_1, \ldots, b_n$ we have that $c_1 \preceq_H c_2$
iff there exist $m$ distinct indexes $\ell_1, \ldots, \ell_m$, with $m \leq n$, such that $a_i \preceq_H b_{\ell_i}$, for
$i = 1, \ldots, m$.

  $a_1$                | $a_2$                | $a_1 \preceq_A a_2$ | $a_1 \preceq_M a_2$ | $a_1 \preceq_S a_2$ | $a_1 \preceq_H a_2$
  ---------------------+----------------------+---------------------+---------------------+---------------------+--------------------
  $1 - 2X_1 \leq 0$      | $3 + X_1 \leq 0$       | yes                 | yes                 | yes                 | yes
  $2 - 2X_1 + X_2 \leq 0$ | $1 + 3X_1 \leq 0$      | yes                 | yes                 | no                  | no
  $1 + 3X_1 \leq 0$      | $2 - 2X_1 + X_2 \leq 0$ | yes                 | no                  | yes                 | no

Table 1. Examples of firing relations $\preceq_A$, $\preceq_M$, $\preceq_S$, and $\preceq_H$.

Table 1 provides some examples of the firing relations and, in particular, it shows
that the relations Maxcoeff and Sumcoeff are not comparable. Figure 2(A) illus-
trates the containment relationships between the firing relations Always, Maxcoeff,
Sumcoeff, and Homeocoeff. (The numbers appearing under each firing relation and
Figure 2(B) will be explained later.) Note that a generalization operator is applied
less often if it is associated with a smaller firing relation.
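The three syntactic firing relations (F2)-(F4), their lifting to conjunctions, and the ancestor check of step 2 of Generalize, as an added Python example that is not code from the paper or from the MAP system. The coefficient-tuple representation of $Lin_k$ atoms and the name `whistle` are assumptions; the inputs are the rows of Table 1.

```python
"""Firing relations Maxcoeff, Sumcoeff and Homeocoeff on Lin_k constraints.

Added example, not code from the paper or from the MAP system. An atomic
constraint  q0 + q1*X1 + ... + qk*Xk  (< 0 | <= 0)  is represented as the
tuple (coeffs, strict), where coeffs = (q0, q1, ..., qk) lists the integer
coefficients (q0 is the constant) and strict is True for "< 0".
A constraint c = a1, ..., am is a list of such atoms.
"""
from itertools import permutations

def maxcoeff(atom):
    """max{|q0|, ..., |qk|} as in (F2)."""
    coeffs, _ = atom
    return max(abs(q) for q in coeffs)

def sumcoeff(atom):
    """|q0| + ... + |qk| as in (F3)."""
    coeffs, _ = atom
    return sum(abs(q) for q in coeffs)

def homeo_poly(p1, p2):
    """p1 <=_H p2 as in (F4): some permutation l of the indexes 0..k has
    |q_i| <= |r_{l_i}| for every i. Such a permutation exists exactly when
    the sorted absolute values of p1 are dominated componentwise by those
    of p2, so no permutations need to be enumerated here."""
    if len(p1) != len(p2):
        raise ValueError("polynomials must range over the same X1..Xk")
    return all(q <= r for q, r in zip(sorted(map(abs, p1)), sorted(map(abs, p2))))

def atom_rel(name, a1, a2):
    """a1 <=_name a2 for name in {'A', 'M', 'S', 'H'}. (F2)-(F4) relate two
    atoms only when both are of the form p < 0 or both of the form p <= 0."""
    if name == "A":
        return True
    if a1[1] != a2[1]:
        return False
    if name == "M":
        return maxcoeff(a1) <= maxcoeff(a2)
    if name == "S":
        return sumcoeff(a1) <= sumcoeff(a2)
    if name == "H":
        return homeo_poly(a1[0], a2[0])
    raise ValueError(name)

def constraint_rel(name, c1, c2):
    """c1 <=_name c2 lifted to conjunctions. For M and S every a_i needs some
    b_j with a_i <= b_j; for H the chosen b_j must be pairwise distinct, so we
    look for an injective choice of indexes l_1..l_m (m <= n)."""
    if name == "A":
        return True
    if name in ("M", "S"):
        return all(any(atom_rel(name, a, b) for b in c2) for a in c1)
    if len(c1) > len(c2):
        return False
    return any(all(atom_rel("H", a, c2[l]) for a, l in zip(c1, idx))
               for idx in permutations(range(len(c2)), len(c1)))

def whistle(name, ancestors, ep):
    """Step 2 of Generalize (assumed helper name): index of the most recent
    ancestor b, oldest first in `ancestors`, with b <|_name ep; None if the
    firing relation does not fire and a fresh definition is introduced."""
    for i in range(len(ancestors) - 1, -1, -1):
        if constraint_rel(name, ancestors[i], ep):
            return i
    return None

# Constructed inputs: the three rows of Table 1, over the variables X1, X2.
TABLE1 = [
    (((1, -2, 0), False), ((3, 1, 0), False)),   # 1-2X1<=0 , 3+X1<=0
    (((2, -2, 1), False), ((1, 3, 0), False)),   # 2-2X1+X2<=0 , 1+3X1<=0
    (((1, 3, 0), False), ((2, -2, 1), False)),   # 1+3X1<=0 , 2-2X1+X2<=0
]

def table1():
    """One row (a1 <=_A a2, a1 <=_M a2, a1 <=_S a2, a1 <=_H a2) per example."""
    return [tuple(atom_rel(n, a1, a2) for n in "AMSH") for a1, a2 in TABLE1]

if __name__ == "__main__":
    for (a1, a2), row in zip(TABLE1, table1()):
        print(a1, a2, ["yes" if r else "no" for r in row])
```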



[Figure 2: image not recoverable. (A) Firing relations, from top to bottom: Always
(191, 5450); Maxcoeff (193, 64050), Sumcoeff (193, 64050); Homeocoeff (166, 140210).
(B) Generalization operators, from top to bottom: $\ominus_T$ (16, 1930); $\ominus_{CHM}$ (24, 39560),
$\ominus_{CHS}$ (26, 41470), $\ominus_W$ (19, 5550); $\ominus_{CHWM}$ (26, 40600), $\ominus_{CHWS}$ (26, 43120),
$\ominus_{WM}$ (27, 24140), $\ominus_{WS}$ (27, 27130).]

Figure 2. Comparison of firing relations and generalization operators.

(A) An arrow $p \to q$ from firing relation $p$ to firing relation $q$ means $p \subseteq q$. For
each firing relation we have written the pair $(m, n)$, where: (i) $m$ is the number of
properties verified by using that firing relation in conjunction with all generalization
operators, and (ii) $n$ is the sum of the specialization times taken by using that firing
relation in conjunction with all generalization operators (see Section 5).

(B) An arrow $g \to h$ from generalization operator $g$ to generalization operator $h$
means $\ominus_g \sqsubseteq \ominus_h$. For each generalization operator we have written the pair $(m, n)$,
where: (i) $m$ is the total number of properties verified (see Table 3), and (ii) $n$ is
the sum of the specialization times (see Table 4).



Now we present some generalization operators on $Lin_k$ which we will use in the
verification examples of the next section. For defining these operators we will use
the relations $\preceq_M$, $\preceq_S$, and $\preceq_H$, which are thin wqo's on $Lin_k$. On the contrary, the
wqo $\preceq_A$ is not thin and it cannot be used for defining generalization operators.

(G1) Given any two constraints $c$ and $d$, the operator Top, denoted $\ominus_T$, returns
true. It can be shown that Top is a generalization operator with respect to any of
the thin wqo's $\preceq_M$, $\preceq_S$, and $\preceq_H$. Since the Top operator forgets all information
about its operands, it often performs an over-generalization and produces poorly
specialized programs (see the experimental evaluation in Section 5).

(G2) Given any two constraints $c = a_1, \ldots, a_m$, and $d$, the operator Widen, denoted
$\ominus_W$, returns the constraint $a_{i_1}, \ldots, a_{i_r}$ such that $\{a_{i_1}, \ldots, a_{i_r}\} = \{a_h \mid 1 \leq h \leq m$
and $d \sqsubseteq a_h\}$. Thus, Widen returns all atomic constraints of $c$ that are entailed by $d$
(see (Cousot and Halbwachs 1978) for a similar widening operator used in static
program analysis). The operator $\ominus_W$ is a generalization operator w.r.t. any of the
thin wqo's $\preceq_M$, $\preceq_S$, and $\preceq_H$.

(G3) Given any two constraints $c = a_1, \ldots, a_m$, and $d = b_1, \ldots, b_n$, the operator
WidenMax, denoted $\ominus_{WM}$, returns the conjunction $a_{i_1}, \ldots, a_{i_r}, b_{j_1}, \ldots, b_{j_s}$, where:
(i) $\{a_{i_1}, \ldots, a_{i_r}\} = \{a_h \mid 1 \leq h \leq m$ and $d \sqsubseteq a_h\}$, and (ii) $\{b_{j_1}, \ldots, b_{j_s}\} = \{b_k \mid$
$1 \leq k \leq n$ and $b_k \preceq_M c\}$. The operator WidenSum, denoted $\ominus_{WS}$, is defined like
WidenMax, with $\preceq_M$ replaced by $\preceq_S$. The operators $\ominus_{WM}$ and $\ominus_{WS}$ are general-
ization operators w.r.t. the thin wqo's $\preceq_M$ and $\preceq_S$, respectively.

The operators WidenMax and WidenSum are similar to Widen but, together with
the atomic constraints of $c$ that are entailed by $d$, they also return the conjunction
of a subset of the atomic constraints of $d$. Note that the operator WidenHomeo,
denoted $\ominus_{WH}$, which is defined like WidenMax, with $\preceq_M$ replaced by $\preceq_H$, is not a
generalization operator w.r.t. $\preceq_H$. Indeed, the constraint $c \ominus_{WH} d$ may contain more
atomic constraints than $c$ and, thus, it may not be the case that $(c \ominus_{WH} d) \preceq_H c$.

Next we define some generalization operators by using the convex hull operator,
which sometimes is used in static program analysis (Cousot and Halbwachs 1978).
The convex hull of two constraints $c$ and $d$ in $Lin_k$, denoted by $ch(c, d)$, is the least
(w.r.t. the $\sqsubseteq$ ordering) constraint $h$ in $Lin_k$ such that $c \sqsubseteq h$ and $d \sqsubseteq h$. (Note that
$ch(c, d)$ is unique up to equivalence of constraints.)

(G4) Given any two constraints $c$ and $d$, let $ch(c, d)$ be of the form $b_1, \ldots, b_n$. The
operator CHMax, denoted $\ominus_{CHM}$, returns the conjunction $b_{j_1}, \ldots, b_{j_s}$, such that
$\{b_{j_1}, \ldots, b_{j_s}\} = \{b_k \mid 1 \leq k \leq n$ and $b_k \preceq_M c\}$. The operator CHSum, denoted
$\ominus_{CHS}$, is defined like CHMax, with $\preceq_M$ replaced by $\preceq_S$. The operators $\ominus_{CHM}$ and
$\ominus_{CHS}$ are generalization operators w.r.t. the thin wqo's $\preceq_M$ and $\preceq_S$, respectively.

Both CHMax and CHSum return the conjunction of a subset of the atomic con-
straints of $ch(c, d)$. Note that if in the definition of CHMax we replace $\preceq_M$ by $\preceq_H$
we get an operator which is not a generalization operator.

(G5) Given any two constraints $c$ and $d$, we define the operator CHWidenMax,
denoted $\ominus_{CHWM}$, as follows: $c \ominus_{CHWM} d = c \ominus_{WM} ch(c, d)$. Similarly, we define the
operator CHWidenSum, denoted $\ominus_{CHWS}$, as follows: $c \ominus_{CHWS} d = c \ominus_{WS} ch(c, d)$.
The operators $\ominus_{CHWM}$ and $\ominus_{CHWS}$ are generalization operators w.r.t. the thin
wqo's $\preceq_M$ and $\preceq_S$, respectively.

  $c$                  | $-X_1 \leq 0,\ -2 + X_1 \leq 0$  | $1 - X_1 \leq 0,\ -2 + X_1 \leq 0$ | $1 - X_1 \leq 0,\ -1 + X_1 \leq 0,\ X_2 \leq 0,\ -X_2 \leq 0$
  $d$                  | $2 - X_1 \leq 0,\ 1 - X_2 \leq 0$  | $-X_1 \leq 0$                     | $X_1 \leq 0,\ -X_1 \leq 0,\ 2 - X_2 \leq 0,\ -2 + X_2 \leq 0$
  ---------------------+----------------------------------+----------------------------------+-------------------------------------------------------
  $c \ominus_W d$      | $-X_1 \leq 0$                    | true                             | $-1 + X_1 \leq 0,\ -X_2 \leq 0$
  $c \ominus_{WM} d$   | $2 - X_1 \leq 0,\ 1 - X_2 \leq 0$  | $-X_1 \leq 0$                     | $1 - X_1 \leq 0,\ -1 + X_1 \leq 0,\ -X_2 \leq 0$
  $c \ominus_{CHM} d$  | $-X_1 \leq 0$                    | $-X_1 \leq 0$                     | $-X_2 \leq 0$
  $c \ominus_{CHWM} d$ | $-X_1 \leq 0$                    | $-X_1 \leq 0$                     | $-1 + X_1 \leq 0,\ -X_2 \leq 0$

Table 2. Examples of application of generalization operators.

Both CHWidenMax and CHWidenSum return the conjunction of a subset of the
atomic constraints of $c$ and a subset of the atomic constraints of $ch(c, d)$.

Note that some other combinations of the widening and convex hull operators
would not yield new generalization operators. Indeed, for all constraints $c$ and $d$,
we have that: (i) $c \ominus_T ch(c, d) = c \ominus_T d$, (ii) $c \ominus_W ch(c, d) = c \ominus_W d$, (iii) $c \ominus_{CHM}$
$ch(c, d) = c \ominus_{CHM} d$, and (iv) $c \ominus_{CHS} ch(c, d) = c \ominus_{CHS} d$.

It can be shown that the generalization operators defined at points (G1)-(G5)
above are pairwise distinct. Table 2 shows some examples of application of gener-
alization operators.

In order to compare our generalization operators we extend the $\sqsubseteq$ partial ordering
on constraints to a partial ordering, also denoted $\sqsubseteq$, on generalization operators, as
follows: $\ominus_1 \sqsubseteq \ominus_2$ (and we say that $\ominus_1$ is less general than $\ominus_2$) iff, for all constraints
$c$ and $d$, $(c \ominus_1 d) \sqsubseteq (c \ominus_2 d)$. Figure 2(B) shows the relationships between general-
ization operators. (The numbers appearing under each generalization operator will
be explained in Section 5.) The operators not connected by any sequence of arrows
are not comparable w.r.t. $\sqsubseteq$.
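The operators Widen (G2), WidenMax and WidenSum (G3), together with a check of the two conditions of Definition 3 on a given pair, as an added Python example that is not code from the paper or from the MAP system. The coefficient-tuple representation of $Lin_k$ atoms and the Fourier-Motzkin decision procedure used for entailment $d \sqsubseteq a$ are assumptions; the inputs are the first two columns of Table 2.

```python
"""Generalization operators Widen, WidenMax and WidenSum on Lin_k.

Added example, not code from the paper or from the MAP system. An atomic
constraint q0 + q1*X1 + ... + qk*Xk (< 0 | <= 0) is the tuple (coeffs, strict)
with coeffs = (q0, q1, ..., qk); a constraint is a list of atoms. Entailment
d |= a over the rationals is decided by Fourier-Motzkin elimination applied to
d /\ not(a): this decision procedure is an assumption of the example.
"""
from fractions import Fraction

def negate(atom):
    """not(p <= 0) is -p < 0 and not(p < 0) is -p <= 0."""
    coeffs, strict = atom
    return tuple(-q for q in coeffs), not strict

def unsatisfiable(atoms):
    """Fourier-Motzkin: eliminate Xk, ..., X1 one at a time. The conjunction
    has no rational solution iff some variable-free atom q0 (<|<=) 0 is false."""
    rows = [([Fraction(q) for q in cs], s) for cs, s in atoms]
    k = len(rows[0][0]) - 1 if rows else 0
    for x in range(k, 0, -1):
        pos = [r for r in rows if r[0][x] > 0]
        neg = [r for r in rows if r[0][x] < 0]
        rows = [r for r in rows if r[0][x] == 0]
        for cp, sp in pos:
            for cn, sn in neg:
                # cp[x]*(row cn) + (-cn[x])*(row cp): positive multipliers,
                # the coefficient of X_x cancels; strict if either side is strict
                comb = [cp[x] * cn[i] - cn[x] * cp[i] for i in range(k + 1)]
                rows.append((comb, sp or sn))
    return any(c[0] > 0 or (c[0] == 0 and s) for c, s in rows)

def entails(d, a):
    """d |= a (the paper's d ⊑ a) iff d /\ not(a) is unsatisfiable."""
    return unsatisfiable(list(d) + [negate(a)])

def maxcoeff(atom):
    return max(abs(q) for q in atom[0])

def sumcoeff(atom):
    return sum(abs(q) for q in atom[0])

def atom_below(measure, b, c):
    """b <=_M c (measure=maxcoeff) or b <=_S c (measure=sumcoeff) for an atom b
    and a constraint c: some atom of c of the same form has measure >= b's."""
    return any(a[1] == b[1] and measure(b) <= measure(a) for a in c)

def widen(c, d):
    """(G2): the atomic constraints of c that are entailed by d."""
    return [a for a in c if entails(d, a)]

def widen_with(measure, c, d):
    """(G3): widen(c, d) followed by the atoms b of d with b <=_measure c."""
    return widen(c, d) + [b for b in d if atom_below(measure, b, c)]

def widen_max(c, d):
    return widen_with(maxcoeff, c, d)

def widen_sum(c, d):
    return widen_with(sumcoeff, c, d)

def is_generalization(c, d, g, measure=maxcoeff):
    """Definition 3 on one pair: (i) d ⊑ g, i.e. every atom of g is entailed
    by d, and (ii) g <=_measure c, i.e. every atom of g is below some atom of c."""
    return all(entails(d, a) for a in g) and all(atom_below(measure, a, c) for a in g)

# Constructed inputs: the first two columns of Table 2 (variables X1, X2).
LE = False  # the atom is of the form p <= 0
C1 = [((0, -1, 0), LE), ((-2, 1, 0), LE)]   # -X1<=0, -2+X1<=0
D1 = [((2, -1, 0), LE), ((1, 0, -1), LE)]   # 2-X1<=0, 1-X2<=0
C2 = [((1, -1, 0), LE), ((-2, 1, 0), LE)]   # 1-X1<=0, -2+X1<=0
D2 = [((0, -1, 0), LE)]                     # -X1<=0

if __name__ == "__main__":
    for c, d in ((C1, D1), (C2, D2)):
        print("widen:", widen(c, d), "widen_max:", widen_max(c, d),
              "ok:", is_generalization(c, d, widen_max(c, d)))
```

Table 2 prints $c \ominus_{WM} d$ for the first column in simplified form ($2 - X_1 \leq 0,\ 1 - X_2 \leq 0$); `widen_max` returns the conjunction exactly as (G3) defines it, which also keeps the entailed atom $-X_1 \leq 0$ and is equivalent.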

5 Experimental Evaluation

In this section we present the results of the experiments we have performed on sev-
eral examples of verification of infinite state reactive systems. We have implemented
the verification algorithm presented in Section 2 using MAP, an experimental sys-
tem for transforming constraint logic programs (MAP 2011). The MAP system is
implemented in SICStus Prolog 3.12.8 and uses the clpq library to operate on
constraints.

We have considered the following mutual exclusion protocols and we have verified
some of their properties. (i) Bakery (Delzanno and Podelski 2001): we have verified
safety (that is, mutual exclusion) and liveness (that is, starvation freedom) in the
case of two processes, and safety in the case of three processes; (ii) MutAst (Lesens and Saïdi 1997):
we have verified safety in the case of two processes; (iii) Peterson (Bardin et al. 2008):
we have verified safety in the case of N (> 2) processes by considering a counting ab-
straction of the protocol (Delzanno 2003); and (iv) Ticket (Delzanno and Podelski 2001):
we have verified safety and liveness in the case of two processes.

We have also verified safety properties of the following cache coherence protocols:
(v) Berkeley RISC, (vi) DEC Firefly, (vii) IEEE Futurebus+, (viii) Illinois Univer-
sity, (ix) MESI, (x) MOESI, (xi) Synapse N+1, and (xii) Xerox PARC Dragon. We
have considered parameterized versions of the protocols (v)-(xii), that is, protocols
designed for an arbitrary number of processors. We have applied our verification
method to the counting abstractions described in (Delzanno 2003).

Then we have verified safety properties of the following systems. (xiii) Bar-
ber (Bultan 2000): we have considered a parameterized version of this protocol with
a single barber process and an arbitrary number of customer processes;
(xiv) Bounded Buffer and Unbounded Buffer: we have considered protocols for two
producers and two consumers which communicate via a bounded and an unbounded
buffer, respectively (the encodings of these protocols are taken from (Delzanno and Podelski 2001));
(xv) Consprodjava, which is (a counting abstraction of) a producer-consumer Java
program realized using threads: we have verified that for any number of threads
there is no deadlock (Bardin et al. 2008); (xvi) CSM is a central server model de-
scribed in (Delzanno et al. 1999); (xvii) Consistency, which is a directory-based
consistency protocol for client-server distributed systems (proposed by Steven Ger-
man) (Bardin et al. 2008): we have considered two versions of the system and
we have verified that mutual exclusion is preserved for any number of processes;
(xviii) Insertion Sort and Selection Sort: we have considered the problem of check-
ing array bounds of these two sorting algorithms, parameterized w.r.t. the size of
the array, as presented in (Delzanno and Podelski 2001); (xix) Office Light Con-
trol (Yavuz-Kahveci and Bultan 2009) is a protocol for controlling how office lights
are switched on and off, depending on room occupancy; (xx) Reset Petri Net is a
Petri Net augmented with reset arcs: we have considered a reachability problem for a
net which is a variant of one presented in (Leuschel and Lehmann 2000); (xxi) Kan-
ban is a Petri Net modelling a concurrent production system (Bardin et al. 2008):
we have verified that the values of certain control variables are bound within some
specified limits; (xxii) Train is an encoding of a control system for speed regulation
of subway trains (Bardin et al. 2008): we have verified that a train is never too
early or too late with respect to its expected arrival time.

Tables 3 and 4 show the results of running the MAP system on the above ex-
amples by using the firing relation Always in conjunction with each of the eight
generalization operators introduced in Section 4. In particular, Table 3 reports, for
each example, the total verification time, that is, the time taken by the Verification
algorithm, if it terminates, and Table 4 reports the specialization time, that is, the
time taken by the Specialize procedure only. For a meaningful comparison between
total specialization times, we have omitted from Table 4 the times relative to the
Consprodjava example, for which the Specialize procedure does not terminate when
using some of the generalization operators.

Table 3. Verification times for the MAP system. For each example we show the
total verification time (Phases 1 and 2) obtained by using the firing relation Always
in conjunction with the generalization operators: $\ominus_T$, $\ominus_W$, $\ominus_{CHM}$, $\ominus_{CHS}$, $\ominus_{CHWM}$,
$\ominus_{CHWS}$, $\ominus_{WM}$, and $\ominus_{WS}$. Times are expressed in milliseconds (ms). '$\infty$' means no
answer within 100 seconds. [Table body not recoverable.]

Table 4. Specialization times for the MAP system. For each example we show the
specialization time (Phase 1 only) obtained by using the firing relation Always in
conjunction with the generalization operators: $\ominus_T$, $\ominus_W$, $\ominus_{CHM}$, $\ominus_{CHS}$, $\ominus_{CHWM}$,
$\ominus_{CHWS}$, $\ominus_{WM}$, and $\ominus_{WS}$. Times are expressed in milliseconds (ms). [Table body
not recoverable.]

Let us compare the various generalization operators with respect to precision,
that is, with respect to the number of properties verified. As expected, we have
that precision increases when we use less general generalization operators, that is,
precision is anti-monotonic with respect to the $\sqsubseteq$ relation (precision increases when
going down in Figure 2(B)). This anti-monotonicity is explained by the fact that
the use of less general generalization operators may produce specialized programs
that better exploit the information about both the initial state and the property
to be verified.

Let us now compare the various generalization operators with respect to the spe-
cialization time. We have that specialization times increase when we use less general
generalization operators, that is, specialization time is anti-monotonic with respect
to the $\sqsubseteq$ relation (specialization time increases when going down in Figure 2(B)).
This is due to the fact that less general generalization operators may introduce
more definitions and, therefore, the specialization phase may take more time. Note
also that the generalization operators that use the convex hull operators (that is,
$\ominus_{CHM}$, $\ominus_{CHS}$, $\ominus_{CHWM}$, and $\ominus_{CHWS}$) exhibit higher specialization times than the
ones that do not. This is due to the extra cost of computing the convex hull which,
however, does not always correspond to an increase of precision.

If we compare the various generalization operators by using them in conjunction 
with each firing relation Maxcoeff, Sumcoeff, and Homeocoeff, instead of Always, we 
get similar anti-monotonicity results (not shown here) for precision and specializa- 
tion times. 

Let us now compare the firing relations Always, Maxcoeff, Sumcoeff, and Home-
ocoeff. We may expect that a firing relation that determines fewer generalization
steps, also determines the introduction of more definitions and, therefore, we may
expect that both precision and specialization time are anti-monotonic with respect
to $\subseteq$ (they increase when going down in Figure 2(A)). This anti-monotonicity is,
in fact, observed in our experiments except for the case of the Homeocoeff firing
relation (see Figure 2(A)). This is explained by the fact that the specialization
times obtained by using the Homeocoeff firing relation are very high and, there-
fore, the execution of the Specialize procedure is often longer than the time limit
of 100 seconds we have assumed as a time out. Note also that the modest increase
of precision from Always to Maxcoeff or Sumcoeff (from 191 to 193) is paid by a
considerable increase of specialization time (from 5450 ms to 64050 ms).

In summary, if we consider the balance between precision and time, the gener-
alization strategies that use Always as firing relation and either $\ominus_{WM}$ or $\ominus_{WS}$ as
generalization operators, outperform all the others. In particular, the generaliza-
tion strategies based on the homeomorphic embedding as a firing relation (that
is, Homeocoeff) and the convex hull operator (that is, $\ominus_{CHM}$, $\ominus_{CHS}$, $\ominus_{CHWM}$, and
$\ominus_{CHWS}$) turn out not to be the best strategies in our examples.

In order to compare the implementation of our verification method using MAP
with other constraint-based model checking tools for infinite state systems available
in the literature, we have done the verification examples described in Table 3 on the
following systems as well: (i) ALV (Yavuz-Kahveci and Bultan 2009), which com-
bines BDD-based symbolic manipulation for boolean and enumerated types, with
a solver for linear constraints on integers, (ii) DMC (Delzanno and Podelski 2001),
which computes (approximated) least and greatest fixpoints of CLP(R) programs,
and (iii) HyTech (Henzinger et al. 1997), a model checker for hybrid systems which
handles constraints on reals. All experiments with the MAP, ALV, DMC, and
HyTech systems have been performed on an Intel Core 2 Duo E7300 2.66GHz
under the Linux operating system. Table 5 reports the results obtained by using
various options available in those verification systems.

Table 5 indicates that, in terms of precision, MAP with either the WM or the WS
generalization operator is the best system (27 properties verified out of 28), followed
by ALV with the default option (20 out of 28), DMC with the A (abstraction) option
(19 out of 28), and HyTech with the Bw (backward reachability) option (18 out
of 28).

In order to compare the systems in terms of verification times, now we consider
the options that give the best precision, that is, MAP with WM, ALV with default,
DMC with A, and HyTech with Bw. Then we compare MAP to every other system
by computing the average verification time over the set of examples where the
systems terminate. We have that MAP has better average time than ALV (2343 ms
and 9816 ms average time, respectively, over the 20 examples where both systems
terminate), and MAP has also better average time than DMC (298 ms and 819 ms,
respectively, over 19 examples). However, MAP has a slightly worse average time
than HyTech (519 ms and 331 ms, respectively, over 18 examples). This is explained
by the fact that HyTech with the Bw option tries to verify a safety property with
a very simple strategy, that is, by constructing the reachability set backwards from
the property to be verified, while MAP applies much more sophisticated techniques.
Note also that the average verification times are affected by the peculiar behaviour
on some specific examples. For instance, in the Bounded Buffer and the Barber
examples the MAP system has longer verification times with respect to HyTech,
because these examples can be easily verified by backward reachability and, thus,
the MAP specialization phase, which propagates the information about the initial
state, is redundant. On the opposite side, MAP is more efficient than HyTech in
the IEEE Futurebus+ and Bakery3 examples.

6 Conclusions 

This paper extends earlier work presented in (Fioravanti et al. 2001; Fioravanti et al. 2011).
We have presented a specialization-based method for the verification of CTL prop-
erties of infinite state reactive systems. Our method consists of two phases: in
Phase (1) a CLP specification of the reactive system is specialized w.r.t. the initial
state and the temporal property to be verified, and in Phase (2) the perfect model
of the specialized program is constructed in a bottom-up way.

For Phase (1) we have focused on the generalization strategy which is applied dur-
ing program specialization and which often determines the quality of the specialized
program. We have considered various generalization strategies that employ different
firing relations, for deciding when to apply generalization, and generalization opera-
tors, for deciding how to generalize. The notions of firing relation and generalization
operator extend to CLP the notions of whistle algorithm and most specific gener-
alization operator, respectively, which have been proposed for positive supercompi-
lation (Sørensen and Glück 1995) and partial deduction (Leuschel et al. 1998). For
defining firing relations we have extended well-binary relations already considered
in the program specialization literature, such as the homeomorphic embedding rela-
tion (Leuschel 2002; Leuschel et al. 1998; Sørensen and Glück 1995), and for defin-
ing generalization operators we have adapted notions from the area of static pro-
gram analysis, such as the ones of widening and convex hull (Cousot and Halbwachs 1978).
We have also introduced some new notions based on maximal coefficients and sums
of coefficients of polynomials.

We have applied our verification method to several examples of infinite state 
systems taken from the literature, and we have compared the results in terms of 
precision and efficiency (that is, the number of properties which have been verified 
and the time taken for verification). On the basis of our experimental results we have 
found that some generalization strategies outperform all the others. In particular, 
the strategies based on maximal coefficients and sums of coefficients appear to have 
the best balance between precision and efficiency. 

Then, we have applied other tools for the verification of infinite state systems (in
particular, ALV (Yavuz-Kahveci and Bultan 2009), DMC (Delzanno and Podelski 2001),
and HyTech (Henzinger et al. 1997)) to the same set of examples. The experiments
show that our specialization-based verification system is quite competitive, espe-
cially in terms of precision.

Table 5. Comparison of the MAP, ALV, DMC, and HyTech verification systems.
Times are expressed in milliseconds. (i) '$\bot$' means termination with the answer:
'Unable to verify', (ii) '$\infty$' means 'No answer' within 100 seconds, (iii) '$\times$' means
that the test has not been performed (HyTech has no built-in for checking liveness).
For the MAP system we show the total verification times with the WM and WS
generalization operators (see the last two columns of Table 3). For the ALV system
we show the times for four options: default, A (with approximate backward fixpoint
computation), F (with approximate forward fixpoint computation), and L (with
computation of loop closures for accelerating reachability). For the DMC system
we show the times for two options: noAbs (without abstraction) and Abs (with
abstraction). For the HyTech system we show the times for two options: Fw (forward
reachability) and Bw (backward reachability). [Table body not recoverable.]

Our approach is closely related to other verification methods for infinite state sys-
tems based on the specialization of (constraint) logic programs (Leuschel and Lehmann 2000;
Leuschel and Massart 2000; Peralta and Gallagher 2003). However, unlike the ap-
proach proposed in (Leuschel and Lehmann 2000; Leuschel and Massart 2000) we
use constraints, which give us very powerful ways for dealing with infinite sets of
states. The specialization-based verification method presented in (Peralta and Gallagher 2003)
consists of one phase only, incorporating top-down query directed specialization
and bottom-up answer propagation. That method is restricted to definite con-
straint logic programs and makes use of a generalization technique which com-
bines widening and convex hull computations for ensuring termination. However,
in (Peralta and Gallagher 2003) only two examples of verification have been pre-
sented (the Bakery protocol and a Petri net) and no verification times are reported
and, thus, it is hard to make an experimental comparison of that method with our
method.

Another approach based on program transformation for verifying parameterized
systems has been presented in (Roychoudhury et al. 2000). It is an approach based
on unfold/fold transformations which are more general than the ones used by us.
However, the strategy for guiding the unfold/fold rules proposed in (Roychoudhury et al. 2000)
works in fully automatic mode in a small set of examples only.

Finally, we would like to mention that our verification method can be regarded as
complementary with respect to the methods for the verification of infinite state sys-
tems based on abstraction (Abdulla et al. 2009; Banda and Gallagher 2010; Clarke et al. 1994;
Dams et al. 1997; Delzanno and Podelski 2001; Geeraerts et al. 2006; Godefroid et al. 2001).
These methods work by constructing approximations of the set of reachable states
that satisfy a given property. In contrast, the specialization technique applied dur-
ing Phase (1) of our method transforms the program for computing sets of states,
but it does not change the set of states satisfying the property of interest. More-
over, during Phase (2) we perform an exact computation of the perfect model of
the transformed program.

Further enhancements of infinite state verification could be achieved by com-
bining program specialization and abstraction. In particular, an extension of our
method could be done by replacing the bottom-up, exact computation of the
perfect model performed in Phase (2), by an approximated computation in the
style of (Banda and Gallagher 2010; Delzanno and Podelski 2001). However, this
extension would require the computation of both over-approximations and under-
approximations of models, because of the presence of negation. An interesting di-
rection for future research is the study of how to combine in the best way, both
in terms of precision and efficiency, the verification techniques based on program
specialization and the ones based on abstraction.